Orcus RAT hidden in Coca-Cola video

Cybersecurity vendor Morphisec has released the details of a malware campaign distributing the Orcus Remote Access Trojan (RAT). The RAT is hidden inside a Coca-Cola video and, when the user watches the video, the RAT installs itself on their computer. This is not the first malware campaign by the threat actor Morphisec calls PUSIKURAC to use the Orcus RAT.

This allows the malware attached to the video to then execute with the same privileges and install on the machine.

Gather data and send it back to the command and control (C&C) servers.

The Morphisec researchers point out that the UAC bypass mechanism used here is not new; it is a weakness that malware has been exploiting for over two years. The malware is packed with the ConfuserEx obfuscation framework, which helps it evade detection by security software.

Interestingly, the Morphisec analysis also notes that the software uses anti-VM techniques. This is almost certainly intended to frustrate analysis in sandboxes and limit detection by security teams.

Malware or legitimate software gone wrong?

Orcus RAT has been around for several years. Until recently it was openly sold as an administration tool. What this shows is the difficulty of determining whether a product is intended for good or bad use. There are a lot of commercial remote access products out there. Some are used by organisations to reach their own machines and others are used by security researchers.

In the case of Orcus RAT, the original developer claimed it was a commercial product that had attracted interest from the military. However, he also engaged with hacking groups on how to use the product. Orcus RAT has been used in a number of different attacks over the past few years.

In 2016 Brian Krebs, using information from MalwareHunterTeam (@malwrhunterteam), took a close look at Orcus and the person behind it. The comments at the bottom of that article are interesting and show the developer trying to justify what he did. That was not enough to close the product; news of its closure came on Jan 16, 2019. According to the site, the Orcus Project is closed, although the software and source code are being made available for free.

The developer also claims that there is a kill switch that security researchers can use to stop any misbehaving Orcus RAT servers they find. He also asks that they do not take down all instances, so that legitimate users are not penalised. It will be interesting to see how that plays out.

Enterprise Times: What does this mean

Any administration tool can be used for good or bad, but that does not mean such tools should not be created or used. However, supporting people who are openly using the product for malicious ends calls the whole purpose of the tool into question. More importantly, since the Krebs piece back in 2016, Orcus RAT has been named in a number of malware campaigns. It has also been tracked and monitored by several security companies.

Defending against these attacks is not simple. Proper patching and deployment of security software is one step. Another is to limit the privileges users have to those they actually need. This will not completely defeat UAC bypass attacks, but it does make the attacker work harder.

Now that the code has been made freely available, Morphisec says it expects to see more attacks using Orcus RAT.

Ian has been a journalist, editor and analyst for over 30 years. While technology remains the core focus of Ian's writings he also covers science fiction, children toys, field hockey and progressive rock. As an analyst, Ian is the Cyber Security and Infrastructure Practice Leader for Creative Intellect Consulting Ltd.
A keen hockey goalkeeper, Ian coaches and plays for a number of clubs including Guildford Hockey Club, Alton Hockey Club, Royal Navy, Combined Services, UK Armed Forces and several touring sides. His ambition is to one day represent England. Ian has also been selected to be the goalkeeping coach for Hockey for Heroes, a UK charity supporting the UK Armed Forces.
